Review: Web Browser Forensics: Google Chrome

Emily C. Lennert


Category

Digital

Keywords

Google, Chrome, web, Internet, browser, digital, artifacts, cyber, RAM, Incognito, private

Article Reviewed

  1. Rathod, D. Web browser forensics: Google Chrome. International Journal of Advanced Research in Computer Science. 2017, 8(7).

Disclaimer

The opinions expressed in this review are an interpretation of the research presented in the article. These opinions are those of the summation author and do not necessarily represent the position of the University of Central Florida or of the authors of the original article.

Summary

Cyber criminals use internet browsers for malicious purposes, which may include the theft of confidential information such as banking credentials, social security numbers, e-mail addresses, address books, and more. A digital forensics examiner must therefore understand how to extract data from the internet browser in order to collect evidence of malicious activity. The author cites a study indicating that Google Chrome is used by 59.7% of desktop browser users, making it the leading internet browser. This research paper therefore aimed to identify the sources of information that may be obtained from Google Chrome.

Previous research has primarily focused on browser logs, local files, or RAM analysis. Google Chrome, however, stores its data in SQLite format, allowing the data to be extracted and examined with a SQLite database viewer. Through such a viewer, history, downloads, keywords, URLs, deleted history, cookies, login data, top sites, and more may be examined.

The History file may be opened in the SQLite database viewer. It contains browsing information such as URLs, downloads, search terms/keywords, and more. The tables contained within the History file yield detailed information that may help in an investigation.

The downloads table provides information such as ID, current and target path, download start time, received bytes, total bytes, download state, download end time, last modified time, etc. A download URL chain may also be obtained, listing the URLs from which files were downloaded. An example of the downloads table can be seen in Figure 3 within the study.

Keywords may also be obtained. This table stores each keyword along with its keyword_id, url_id, lower_term, and term. An example of this table may be seen in Figure 4 within the study.

The URL table, which the author identifies as the most important table, provides a list of URLs visited by the user. It lists ID, URL, title, visit count, type count, last visit time, hidden, and favicon ID. A favicon (favorite icon) is the small image that appears next to the website name in the browser tab. Figure 5 within the study provides an example of the visited URL table.
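
As an added illustration (not code from the reviewed paper or from Chrome itself), the following Python script builds a constructed, simplified subset of the History schema in memory and runs the kind of queries an examiner would run against a copied History file: visited URLs ordered by last visit, downloads with their byte counts and state, and search terms joined back to the URL rows that recorded them. It also converts Chrome's timestamps, which count microseconds since 1601-01-01 UTC rather than Unix time; the column names are taken from the review and may differ between Chrome versions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit epoch), not Unix time;
# 0 means "never" (e.g. end_time of an unfinished download).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_iso(value):
    """Convert a last_visit_time / start_time / end_time value to ISO 8601 UTC."""
    if not value:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).isoformat()

def build_sample_history():
    """Constructed in-memory subset of the History schema with sample rows (not a real profile)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
                               start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                               state INTEGER, end_time INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          lower_term TEXT, term TEXT);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/login", "Example Login", 3, 1, 13300000000000000, 0),
        (2, "https://example.com/search?q=Bank+Login", "Search", 1, 0, 13300000060000000, 0),
    ])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)",
                (1, r"C:\Users\admin\Downloads\invoice.exe", r"C:\Users\admin\Downloads\invoice.exe",
                 13300000120000000, 4096, 4096, 1, 13300000125000000))
    con.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)", (1, 2, "bank login", "Bank Login"))
    return con

def visited_urls(con):
    """Visited URLs, most recent first; the same query runs against a copied History file."""
    rows = con.execute("SELECT url, title, visit_count, typed_count, last_visit_time FROM urls ORDER BY last_visit_time DESC")
    return [(u, t, vc, tc, webkit_to_iso(ts)) for u, t, vc, tc, ts in rows]

def downloads(con):
    """Download records with start/end times converted; state 1 marks a completed download."""
    rows = con.execute("SELECT target_path, received_bytes, total_bytes, state, start_time, end_time FROM downloads")
    return [(p, rb, tb, st, webkit_to_iso(s), webkit_to_iso(e)) for p, rb, tb, st, s, e in rows]

def search_terms(con):
    """Link each search term to the URL row (url_id) that recorded it."""
    return con.execute("SELECT k.term, u.url FROM keyword_search_terms k "
                       "JOIN urls u ON u.id = k.url_id").fetchall()
```

On a real system the examiner copies the History file out of the profile directory first, since Chrome holds a lock on it while running.
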

Deleted history may be recovered from Google Chrome. To test this, the author intentionally deleted the history and then recovered it manually. To recover the history, a previous version of the Google folder in C:\Users\admin\AppData\Local was restored. Several previous versions were available for recovery and restoration, each listed with a date and time, so a specific point in the history could be targeted. An example of recovered history can be seen in Figure 6 within the study.

Cookies may also be recovered with the database viewer. Cookies are files that store user preferences and the profile number for a website, and are created when the website is visited. When the website is revisited, the cookies reload the user’s settings for the site. In the database viewer, creation_utc, host_key, name, value, path, expires_utc, and more may be recovered for each cookie. The host_key gives the host of the visited link. Figure 7 within the study shows the information that can be recovered for cookies.

Login data can also be viewed through the database viewer. The origin_url and action_url columns provide a list of visited websites, and username and password information can be recovered from this table, which also contains the user profile. An example of the recovered data can be seen in Figure 8 within the study.

Top sites can be recovered and provide a list of the websites most visited by the user.

Shortcuts contains two tables: Meta and Omnibox History. Omnibox is a Google Chrome feature with auto-complete capabilities. These tables contain information including id, text, URL, contents, description, last access time, number of hits, keyword, etc.

Prefetch files help to reduce the startup time of an application. Prefetch files may be recovered for Google Chrome and include the last execution date and time, run count, creation date and time, and serial number. An example of the prefetch file information can be seen in Figure 9 within the study.

A RAM dump of the system may also be performed to obtain private browsing artifacts. A user may visit sites in “Incognito” mode. The author visited several sites in this private browsing mode and then attempted to extract browsing information from a RAM dump. The visited websites were recovered by this method.

Scientific Highlights

  • While previous research has focused primarily on browser logs, local files, or RAM analysis, this study demonstrated the recovery of browsing information from a broader range of sources such as cookies, login data, top sites, prefetch files, and more.
  • Browsing data from websites visited in “Incognito” mode was recovered.

Relevance

  • Google Chrome is a popular internet browser; it is therefore vital that digital forensic examiners understand the various sources of information that may be obtained from the browser.

Potential Conclusions

  • By using a SQLite database viewer, a broad range of information may be accessed for the Google Chrome browser, which may aid in digital forensic investigations.